One of the major components of an effective cybersecurity defense involves threat alerts: a Distant Early Warning System that will advise a business if a digital breach is attempted or occurs. No one disputes the value of it—but the challenge is that innocent mistakes can trigger an avalanche of alerts. One of the most common occurs when employees try to access a secured website or a file, are prompted to enter a secondary form of verification as part of a multifactor authentication challenge, and then make an innocent error while entering their credentials. Pow! An alert is triggered, and an investigation is (or should be) launched.
It is not a big deal if this occurs infrequently — and it will likely only be a minor annoyance for the internal or external cybersecurity services team. But what happens when thousands of such alerts come in every day at a large company, and only 100 really represent a potential threat? Even a 20-person business can receive 20 or more alerts daily due to innocent sign-in or other errors.
Unfortunately, at large companies and smaller ones alike, the cybersecurity team can quickly become overwhelmed and start to write off the warnings as false alarms instead of investigating them — at least until they get an unpleasant surprise when a real hacker finally penetrates their system. It is like a modern-day version of the youngster who cried “Wolf!” one too many times.
The solution is not to shut down MFA challenges or ignore alerts but instead to fine-tune the defensive system so fewer false positives are generated. An IT support services provider can implement, for example, a security operations center that runs 24/7, monitoring a business’s network and sifting through threat alerts to separate inconsequential log-in errors from genuine hacking attempts — all while generating an activity log that can be reviewed and audited to ensure accuracy and effectiveness.
The challenge to implementing this is one of perception. False alerts are so common that it is easy to dismiss them as inconsequential – and to view the possibility of ignoring a real threat as an “acceptable risk” – or worse, to simply disable MFA and other defenses. But that kind of approach is like removing a home’s smoke detectors because they go off every time a chicken gets overcooked — putting lives at risk each time a meal is prepared. Similarly, when it comes to protecting sensitive data, there is no “acceptable risk.” Once a cybercriminal cracks a password for a particular file or app, for example, they will try to use it to access countless other entry points, ultimately holding an organization’s data hostage or simply getting a kick out of crippling the company.
Solutions like a security operations center or security information and event management (SIEM) can reduce the number of priority cyber-alerts to a manageable number, as low as seven or eight a month, which enables a cybersecurity solutions team to rapidly respond, research, and mitigate if needed. Businesses today have so many challenges – from increased competition to supply chain issues – that they do not need to add the headache of cyber-intrusions to their “to-do” list. The alternative, of course, is to passively accept the risk and try to blunt the impact by shelling out funds for a bigger insurance policy.
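To make the "sifting" described in the two paragraphs above concrete, here is an added example of the kind of triage rule a SOC or SIEM applies to MFA failure events so that an isolated typo is suppressed while a burst of failures, or failures from several source addresses, is escalated. This is illustrative code written for this page, not code from the article or from eMazzanti Technologies; the log format, the user and IP values, the ten-minute window and the failure thresholds are all constructed assumptions, and a real deployment would tune them against its own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunable thresholds (assumed values for this example, not a vendor default).
WINDOW = timedelta(minutes=10)   # correlation window per user
TYPO_MAX_FAILS = 2               # up to this many failures can be a typo
BURST_FAILS = 5                  # this many in one window is a burst


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    result: str  # "mfa_fail" or "mfa_success"


# Constructed sample log: "<iso-timestamp> <user> <source-ip> <result>".
SAMPLE_LOG = """
2024-05-01T09:00:00 alice 10.0.0.5 mfa_fail
2024-05-01T09:00:20 alice 10.0.0.5 mfa_fail
2024-05-01T09:00:45 alice 10.0.0.5 mfa_success
2024-05-01T09:05:00 bob 203.0.113.9 mfa_fail
2024-05-01T09:05:30 bob 203.0.113.9 mfa_fail
2024-05-01T09:06:00 bob 203.0.113.9 mfa_fail
2024-05-01T09:06:30 bob 203.0.113.9 mfa_fail
2024-05-01T09:07:00 bob 203.0.113.9 mfa_fail
2024-05-01T09:07:30 bob 203.0.113.9 mfa_fail
2024-05-01T09:10:00 carol 10.0.0.7 mfa_fail
2024-05-01T09:11:00 carol 198.51.100.4 mfa_fail
2024-05-01T09:20:00 dave 10.0.0.9 mfa_fail
2024-05-01T09:21:00 dave 10.0.0.9 mfa_fail
2024-05-01T09:22:00 dave 10.0.0.9 mfa_fail
"""


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed space-separated log format into events."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), user, ip, result))
    return events


def _densest_window(fails: list[AuthEvent]) -> tuple[int, int]:
    """Return (max failures, max distinct source IPs) seen in any WINDOW."""
    max_count, max_ips = 0, 0
    for i, start in enumerate(fails):
        in_window = [f for f in fails[i:] if f.ts - start.ts <= WINDOW]
        max_count = max(max_count, len(in_window))
        max_ips = max(max_ips, len({f.src_ip for f in in_window}))
    return max_count, max_ips


def _recovered(events: list[AuthEvent], last_fail: AuthEvent) -> bool:
    """True if the same source IP succeeded within WINDOW after the last failure."""
    return any(
        e.result == "mfa_success"
        and e.src_ip == last_fail.src_ip
        and timedelta(0) <= (e.ts - last_fail.ts) <= WINDOW
        for e in events
    )


def triage(events: list[AuthEvent]) -> dict[str, tuple[str, str]]:
    """Map each user with failures to (severity, reason).

    "suppress": a few failures then success from the same IP (likely typo)
    "high":     a burst of failures, or failures from multiple source IPs
    "low":      anything else; logged for review, not paged
    """
    by_user: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    verdicts = {}
    for user, evs in by_user.items():
        fails = [e for e in evs if e.result == "mfa_fail"]
        if not fails:
            continue
        count, ips = _densest_window(fails)
        if count >= BURST_FAILS:
            verdicts[user] = ("high", f"{count} MFA failures within {WINDOW}")
        elif ips >= 2:
            verdicts[user] = ("high", f"failures from {ips} source IPs")
        elif count <= TYPO_MAX_FAILS and _recovered(evs, fails[-1]):
            verdicts[user] = ("suppress", "recovered from same IP; probable typo")
        else:
            verdicts[user] = ("low", f"{count} unresolved failures")
    return verdicts


def escalations(verdicts: dict[str, tuple[str, str]]) -> list[str]:
    """Users whose alerts should reach an analyst immediately."""
    return sorted(u for u, (sev, _) in verdicts.items() if sev == "high")


if __name__ == "__main__":
    for user, (sev, why) in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{user:6} {sev:9} {why}")
```

Run against the constructed log, the rule suppresses alice (two failures then success from the same address), pages on bob (six failures in under three minutes) and carol (failures from two different addresses), and files dave for later review. The point is not the specific thresholds but that the raw failure count collapses into a handful of prioritized cases, which is what makes the "seven or eight a month" figure in the text achievable in practice.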
Carl Mazzanti is president of eMazzanti Technologies in Hoboken.